Re: HTB + NAT on Debian (outgoing traffic shaping problems)

From: joseph philip (joseph_at_nntp.will.suffice)
Date: 05/14/04


Date: Thu, 13 May 2004 21:04:41 -0400

On Wed, 12 May 2004 05:17:27 -0700, Laurynas Butkus wrote:

> hello,
>
> I'm running Debian Woody with 2.4.26 kernel. I have 3 NIC:
> eth0 - 192.168.0.0 subnet
> eth1 - 192.168.2.0 subnet
> eth2 - DSL link
>
> there are ~5 computers in every subnet and I want them to get equal
> incoming and outgoing traffic with possibility to borrow unused channel.
>
> I have successfully used htb.init to shape my incoming traffic but I ran
> into problems with outgoing. I try to mark outgoing packets with
> iptables, but it doesn't work...
>
> I do marking like this:
> iptables -t mangle -A PREROUTING -s 192.168.2.10 -j MARK --set-mark 101
>
> then NAT:
> $IPT -t nat -A POSTROUTING -s $FRIEND -j SNAT --to $IP_BLUE
>
> then in sysconfig:
>
> cat ./eth2
> DEFAULT=2
>
> cat ./eth2-2.root
> # root class containing total bandwidth
> RATE=320Kbit
> MTU=300
>
> cat ./eth2-2\:101.madcrock
> RATE=1Kbit
> MARK=101
> LEAF=sfq
>
> I try to shape myself down to 1Kbit but during upload I get 2 and more
> Kb/s...
> Please help me to solve this problem.
>
> Thanks in advance,
> Laurynas

I don't know about the scripts that you are using but here are a few
general things.

HTB is not recommended for these 1Kbit stuff. For that use cbq.

Traffic control is implemented by:
a) Classes : These are the transmission classes which send the data out.

$TC qdisc add dev $EXT root handle 1:0 cbq $AVPKT $BW

$TC class add dev $EXT parent 1:0 classid 1:1 cbq rate 300kbit $ALLOT prio 5 $AVPKT $BW bounded isolated

$TC class add dev $EXT parent 1:1 classid 1:10 cbq rate 220kbit $ALLOT prio 5 $AVPKT mpu 64 maxburst 40 $BW weight 1000kbit isolated

b) Queues: These are queues, one to EACH class that you created. If you
did not specify a particular type of queue, it will use FIFO. A class will
get its packets from its associated queue.

$TC qdisc add dev $EXT parent 1:10 sfq perturb 10 quantum 1492

c) Filters: These are rules that identify a packet and send it to a
particular class-queue combination (called a "flowid"). "fw" tells it to
use the mark on the packet.

$TC filter add dev $EXT parent 1:0 protocol IP prio 10 handle $DEFAULT fw flowid 1:10

Without filters, it won't work.
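
The three pieces from the reply (classes, queues, fw filters) tied to the iptables marks from the original question, as an added example that is not part of either poster's message. It goes beyond the single host in the thread by giving each marked host an equal share, and it only prints the commands (dry run); the helper name `shaper_cmds`, the `avpkt`, `bandwidth` and `allot` values and the second host are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator for per-host
# CBQ shaping keyed on firewall marks. Review the output, then run it as root.
# Assumed values: NIC speed 10mbit, avpkt 1000, allot 1514.

# shaper_cmds DEV TOTAL_KBIT MARK=IP [MARK=IP ...]
shaper_cmds() {
    dev=$1 total=$2
    shift 2
    [ $# -ge 1 ] || return 1          # need at least one host
    share=$(( total / $# ))            # equal guaranteed rate per host
    bw="bandwidth 10mbit"              # physical speed of the NIC (assumed)
    avpkt="avpkt 1000"
    allot="allot 1514"

    # a) classes: root qdisc plus one bounded parent holding the uplink rate
    echo "tc qdisc add dev $dev root handle 1:0 cbq $avpkt $bw"
    echo "tc class add dev $dev parent 1:0 classid 1:1 cbq rate ${total}kbit $allot prio 5 $avpkt $bw bounded isolated"

    for pair in "$@"; do
        mark=${pair%%=*}               # text before '='
        ip=${pair#*=}                  # text after '='
        leaf="1:$mark"

        # Mark in mangle/PREROUTING: the mark survives SNAT, while the
        # private source address is already rewritten when tc sees the packet.
        echo "iptables -t mangle -A PREROUTING -s $ip -j MARK --set-mark $mark"
        # Leaf class without 'bounded', so it may borrow idle bandwidth from 1:1.
        echo "tc class add dev $dev parent 1:1 classid $leaf cbq rate ${share}kbit $allot prio 5 $avpkt $bw"
        # b) queue attached to the leaf class
        echo "tc qdisc add dev $dev parent $leaf sfq perturb 10"
        # c) fw filter: 'handle' must equal the iptables mark value
        echo "tc filter add dev $dev parent 1:0 protocol ip prio 10 handle $mark fw flowid $leaf"
    done
}

# Constructed sample: mark 101 / 192.168.2.10 are from the question,
# the second host is made up for illustration.
shaper_cmds eth2 300 101=192.168.2.10 102=192.168.2.11
```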
